Create user rules of access to all internal networks and systems with a detailed up to date list of users and their privileges within the system.
The U.S. Congress has recently set new requirements (CMMC) for companies that do business with the Department of Defense (DOD). The company is now required to report any breach of security in their networks to the Department of Homeland Security and be CMMC compliant.
That is an interesting move, as we have all heard of the breaches in many big business networks, which results in the theft of personal information on millions of users. The reason for the change in policy is that it is much easier to get to the source of the breach, as opposed to the compromised information itself.
The DOD has recently had a spate of network security breaches that have compromised the information of individuals, but not the data itself.
The recent case of the Department of Justice (DOJ) and the FBI also highlights the fact that the FBI has access to any information stored in the cloud. This is just one more reason why it is critical for companies to keep an eye on the security of their networks.
CMMC (Cybersecurity Maturity Model Certification) first published in 2020, CMMC will slowly be implemented over the coming five years. CMMC will be a core part of all bidding processes for DoD contracts in the future.
Create user rules of access to all internal networks and systems with a detailed up to date list of users and their privileges within the system.
Know what hardware, software, other technologies have access to the system. Create and document processes from daily backups to disposal of old equipment and destruction of stored data
Track, log and timestamp user access, actions and information contact to CUI assets.
Cybersecurity training must be included in all levels of training incorporating how the employee interacts with the CUI data within their role.
Map all devices and systems which uses and process CUI data.
Unique identification of all users, devices, and every process.
Strong user identification process with a minimum complexity of passwords.
Plan of action for incidents, to detect and contain threats to data
Everything needs maintenance. Create a schedule for systems, hardware, and devices maintenance.
Document system updates and patches to software, hardware, and firmware.
Track all media containing sensitive data and manage the destruction.
Carry out comprehensive background checks during hiring process.
Restricted access to the building and all servers. Maintain a detailed list of employees with their access areas.
System backup schedules and test environments.
Risk management plan. Scan systems and networks for vulnerabilities and risks.
Security audit to identify new vulnerabilities and emerging threats.
Establish processes to identify new risks and threats to the system.
Track external cybersecurity threats
Define network boundaries, especially with the use of cloud-based systems.
Monitor end-point security.
Up-to-date and patched components and software. Schedule regular updates.
There are a number of different levels of compliance. Identify data you will need to use within the contract as it can require different types of compliance.
The National Institute of Standards and Technology (NIST) established NIST 800-172 & NIST 800-171 enhanced security requirements for protecting data government data and incorporated them as part of the certificate.
FCI Federal Contract Information - Data not ever intended for general or public release. You will require CMMC 5 levels certification.
CUI Controlled Unclassified Information - Data is sensitive, but not classified. You will require CMMC 3 Levels certified.